MFA reset policy

Draft policy: Infra will update this page with further details, replacing the TBD notes, as they become available, and will make an announcement when the policy comes into force.

Resetting MFA

Resetting a committer's MFA may be necessary because:

  • The committer has lost access to their MFA devices
  • The committer's MFA has been compromised in some way
  • Other reasons

There will be at least two methods to restore MFA:

  1. The committer uses a recovery key that they had previously downloaded from Keycloak during initial MFA setup.

    • Visit (URL TBD) to reset MFA using a recovery key.
  2. The committer establishes their identity with the ASF via one or more of the following methods:

    • Provide proof of ownership of the ASF-linked GitHub account to Infra via a process TBD.
    • Provide proof of ownership of the GPG key associated with the ASF ID via a process TBD.
    • Fill out a form TBD containing the information the committer provided on their original ICLA. Infra will perform address/signature validation.

If a committer has lost their ASF MFA, their GitHub 2FA, and their GPG private key/passphrase, and Infra is unable to perform ICLA validation, the person will need to work with their project to be considered as a new committer, and will need to go through the new committership/new account process. The old account is unrecoverable and will be disabled.

Copyright 2024, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.